ICMP echo-replies not wanted

Unanswered Question

I have a 2620 as the Internet gateway with the IOS firewall. I have set the ACL on the serial interface to only allow echo-replies, timeouts, unreachables, and source-quench messages. This would imply that echo is denied. When I try to ping the serial interface from a host on the Internet, I get a destination net unreachable reply. Is there a way to make the response be a request timed out?


Running Config

Current configuration : 2450 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname internet-router
!
no logging console
enable secret 5 $1$lXDY$EColL5xiDhpTbrPqrHXIz.
!
ip subnet-zero
!
!
ip name-server 64.30.6.6
ip name-server 64.9.32.6
!
ip inspect audit-trail
ip inspect name RULESOUTBOUND tcp
ip inspect name RULESOUTBOUND udp
ip inspect name RULESOUTBOUND cuseeme
ip inspect name RULESOUTBOUND ftp
ip inspect name RULESOUTBOUND h323
ip inspect name RULESOUTBOUND realaudio
ip audit notify log
ip audit po max-events 100
!
no call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 10.1.0.5 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip inspect RULESOUTBOUND in
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 description connected to Internet
 ip address 64.30.2.242 255.255.255.252
 ip access-group 101 in
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no service-module t1 remote-loopback full
 service-module t1 remote-loopback payload v54
 service-module t1 timeslots 1-8
 service-module t1 remote-alarm-enable
 no cdp enable
!
interface Serial0/1
 no ip address
 shutdown
!
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static tcp 10.1.0.4 25 interface Serial0/0 25
ip nat inside source static tcp 10.1.0.20 80 interface Serial0/0 80
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 10.2.0.0 255.255.255.0 10.1.0.1
ip route 10.3.0.0 255.255.255.0 10.1.0.1
ip route 10.4.0.0 255.255.255.0 10.1.0.1
ip route 10.5.0.0 255.255.255.0 10.1.0.1
ip route 64.0.0.0 255.0.0.0 64.30.2.241
no ip http server
!
logging trap warnings
logging 10.1.0.4
access-list 1 permit 10.1.0.0 0.0.255.255
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 1 permit 10.3.0.0 0.0.255.255
access-list 1 permit 10.4.0.0 0.0.255.255
access-list 1 permit 10.5.0.0 0.0.255.255
access-list 101 permit tcp any host 64.30.2.242 eq www
access-list 101 permit tcp any host 64.30.2.242 eq smtp
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any unreachable
access-list 101 deny icmp any any echo
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
gateway
!
!
!
line con 0
 exec-timeout 0 0
 password 7 09784B0A11
 login
line aux 0
line vty 0 4
 password 7 09784B0A11
 login

donewald Tue, 11/19/2002 - 07:29

Try "no ip unreachables" on your Serial 0/0 interface.


Hope that helps,

Don
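Added example, not from this thread: a small Python model of why the original poster sees "destination net unreachable". It encodes the thread's access-list 101 with first-match evaluation and an implicit deny, and shows that a denied echo-request makes the router originate an ICMP type 3 code 13 (administratively prohibited) unreachable unless the interface has "no ip unreachables", in which case the packet is silently dropped and the sender times out. Real IOS behaviour is richer (rate limiting, NAT, inspection); this only illustrates the ACL/unreachable interaction.

```python
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_UNREACHABLE = 3
ICMP_SOURCE_QUENCH = 4
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_ADMIN_PROHIBITED = 13   # code 13 of type 3; hosts print it as "unreachable"

@dataclass
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # TCP destination port
    icmp_type: int = -1   # ICMP type, -1 for non-ICMP

# Constructed from the thread's access-list 101 on Serial0/0 (inbound).
# Tuple: (action, protocol, destination host or "any", tcp port, icmp type)
ACL_101 = [
    ("permit", "tcp",  "64.30.2.242", 80, -1),                   # eq www
    ("permit", "tcp",  "64.30.2.242", 25, -1),                   # eq smtp
    ("permit", "icmp", "any", 0, ICMP_ECHO_REPLY),
    ("permit", "icmp", "any", 0, ICMP_TIME_EXCEEDED),
    ("permit", "icmp", "any", 0, ICMP_SOURCE_QUENCH),
    ("permit", "icmp", "any", 0, ICMP_UNREACHABLE),
    ("deny",   "icmp", "any", 0, ICMP_ECHO_REQUEST),
]

def acl_permits(pkt: Packet, acl=ACL_101) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    for action, proto, dst, dport, itype in acl:
        if proto != pkt.proto:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if proto == "tcp" and dport != pkt.dport:
            continue
        if proto == "icmp" and itype != pkt.icmp_type:
            continue
        return action == "permit"
    return False

def router_response(pkt: Packet, ip_unreachables: bool):
    """What the router originates for an inbound packet on Serial0/0.
    Returns "forwarded" when the ACL permits it, an (icmp_type, icmp_code)
    tuple when the deny triggers an unreachable, or None for silence
    (the remote ping then reports "request timed out")."""
    if acl_permits(pkt):
        return "forwarded"
    if ip_unreachables:            # IOS default: ip unreachables
        return (ICMP_UNREACHABLE, ICMP_ADMIN_PROHIBITED)
    return None                    # interface configured with no ip unreachables
```

Note that "no ip unreachables" suppresses every ICMP unreachable the router would originate on that interface, including the fragmentation-needed messages used by path MTU discovery, so check that nothing behind the router depends on them.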
